test(core,adms): cover aclose idempotency, exception-path cleanup, OBO/CC cache isolation

adwitiyasushant · adwitiyasushant · commit d3db5790737b · 2026-06-02T22:46:11.000+05:30
- AsyncHttpClient: assert __aexit__ runs aclose when the body raises;
  assert real httpx.AsyncClient.aclose is safe to call twice (the
  protocol can result in double-cleanup in caller code).
- AsyncAdmsHttp: same exception-path coverage; assert aclose is
  idempotent on the owned client.
- IasTokenFetcher: assert interleaving get_token (cached) and
  exchange_token (not cached) keeps the two grant types isolated —
  no cache-key collision and exactly one client_credentials IAS hit
  across the sequence. Guards the OBO privilege boundary against a
  future regression where someone adds caching to exchange_token.
diff --git a/tests/adms/unit/test_client.py b/tests/adms/unit/test_client.py
@@ -252,6 +252,30 @@ async def test_context_manager_closes_client(self, config):
 
         mock_client.aclose.assert_called_once()
 
+    @pytest.mark.asyncio
+    async def test_context_manager_closes_client_on_exception(self, config):
+        fetcher = _make_token_fetcher(config)
+        mock_client = AsyncMock(spec=httpx.AsyncClient)
+
+        with pytest.raises(RuntimeError, match="boom"):
+            async with AsyncAdmsHttp(config=config, token_fetcher=fetcher, client=mock_client):
+                raise RuntimeError("boom")
+
+        mock_client.aclose.assert_called_once()
+
+    @pytest.mark.asyncio
+    async def test_aclose_idempotent_on_owned_client(self, config):
+        fetcher = _make_token_fetcher(config)
+        mock_client = AsyncMock(spec=httpx.AsyncClient)
+
+        http = AsyncAdmsHttp(config=config, token_fetcher=fetcher, client=mock_client)
+        await http.aclose()
+        await http.aclose()  # second call must not raise; httpx tolerates double aclose
+
+        # The owned client may be closed once or twice — both are valid.
+        # What matters is no exception is propagated.
+        assert mock_client.aclose.await_count >= 1
+
     @pytest.mark.asyncio
     async def test_with_user_jwt_shares_underlying_client(self, config):
         fetcher = _make_token_fetcher(config)
diff --git a/tests/core/unit/auth/test_ias_fetcher.py b/tests/core/unit/auth/test_ias_fetcher.py
@@ -146,3 +146,37 @@ def test_grant_type_is_client_credentials(self, fetcher, mock_session):
         assert payload["grant_type"] == "client_credentials"
         assert payload["client_id"] == "client-id"
         assert payload["client_secret"] == "client-secret"
+
+    def test_obo_and_cc_caches_are_isolated(self, fetcher, mock_session):
+        """Interleaving ``get_token`` (cached) with ``exchange_token`` (not cached)
+        must not collide on a shared cache key.
+
+        Why: OBO tokens are scoped to a specific end-user JWT; sharing them
+        across users would be a privilege boundary violation.  CC tokens are
+        the application's own credential and should be cached for reuse.
+        A naive single-key cache would either leak OBO tokens to CC callers
+        or cache-bust CC on every OBO call.
+        """
+        mock_session.post.side_effect = [
+            _make_token_response("cc-token"),     # first get_token → IAS hit
+            _make_token_response("obo-token-a"),  # exchange_token(jwt_a) → IAS hit
+            _make_token_response("obo-token-b"),  # exchange_token(jwt_b) → IAS hit
+        ]
+
+        cc1 = fetcher.get_token()
+        obo_a = fetcher.exchange_token("jwt-a")
+        cc2 = fetcher.get_token()             # must hit cache → no extra IAS call
+        obo_b = fetcher.exchange_token("jwt-b")
+
+        assert cc1 == cc2 == "cc-token"
+        assert obo_a == "obo-token-a"
+        assert obo_b == "obo-token-b"
+        # 1 CC fetch (cached on second call) + 2 OBO fetches (never cached) = 3.
+        assert mock_session.post.call_count == 3
+
+        cc_grant_calls = [
+            call for call in mock_session.post.call_args_list
+            if call[1]["data"]["grant_type"] == "client_credentials"
+        ]
+        assert len(cc_grant_calls) == 1
+
diff --git a/tests/core/unit/http/test_async_client.py b/tests/core/unit/http/test_async_client.py
@@ -50,6 +50,26 @@ async def test_aexit_closes_client(self, mock_httpx_client):
             pass
         mock_httpx_client.aclose.assert_awaited_once()
 
+    @pytest.mark.asyncio
+    async def test_aexit_closes_client_on_exception(self, mock_httpx_client):
+        c = AsyncHttpClient(base_url="https://api.example.com", client=mock_httpx_client)
+        with pytest.raises(RuntimeError, match="boom"):
+            async with c:
+                raise RuntimeError("boom")
+        mock_httpx_client.aclose.assert_awaited_once()
+
+    @pytest.mark.asyncio
+    async def test_aclose_is_idempotent(self):
+        # Use a real httpx.AsyncClient — its aclose() must tolerate repeated calls
+        # because the context-manager protocol can result in double-cleanup
+        # (explicit aclose + __aexit__) in caller code.
+        real_client = httpx.AsyncClient()
+        c = AsyncHttpClient(base_url="https://api.example.com", client=real_client)
+        async with c:
+            pass
+        # Second close after __aexit__ already ran — must not raise.
+        await real_client.aclose()
+
 
 class TestAsyncHttpClientGet:
     @pytest.mark.asyncio
